Verify OAuth Policy and Settings Generation
When the OAuth Plugin is deployed, several external client app components are generated. There are a few places you can check to verify if the deployment was successful.
Find the Consumer Key and Secret
Open the external client app global OAuth settings file. The file name is [ECAPP_OAUTH_SETTINGS].ecaGlblOauth-meta.xml, for example, myecasettings.ecameta.xml, and it’s found in a directory called extlClntAppGlobalOauthSets. Verify that the consumerKey and consumerSecret fields have values.
<?xml version="1.0" encoding="UTF-8"?>
<ExtlClntAppGlobalOauthSettings xmlns="http://soap.sforce.com/2006/04/metadata">
    <callbackUrl>https://www.example.com</callbackUrl>
    <consumerKey>YOUR_EXTERNAL_CLIENT_APP_OAUTH_CONSUMER_KEY</consumerKey>
    <consumerSecret>YOUR_EXTERNAL_CLIENT_APP_OAUTH_CONSUMER_SECRET</consumerSecret>
    <externalClientApplication>myeca</externalClientApplication>
    <idTokenConfig>
        <idTokenAudience>SalesforceAudience</idTokenAudience>
        <idTokenIncludeStandardClaims>true</idTokenIncludeStandardClaims>
        <idTokenValidityInMinutes>0</idTokenValidityInMinutes>
    </idTokenConfig>
    <isClientCredentialEnabled>false</isClientCredentialEnabled>
    <isConsumerSecretOptional>false</isConsumerSecretOptional>
    <isIntrospectAllTokens>false</isIntrospectAllTokens>
    <isSecretRequiredForRefreshToken>false</isSecretRequiredForRefreshToken>
    <label>myecaglobalset</label>
    <singleLogoutUrl>https://www.example.com</singleLogoutUrl>
</ExtlClntAppGlobalOauthSettings>
Find the OAuth Link Field
In the external client app OAuth settings file, verify that the oauthLink field now has an auto-generated value that combines the org ID and the OAuth Consumer ID.
<?xml version="1.0" encoding="UTF-8"?>
<ExtlClntAppOauthSettings xmlns="http://soap.sforce.com/2006/04/metadata">
    <externalClientApplication>myeca</externalClientApplication>
    <label>myecaset</label>
    <trustedIpRanges>
        <startIpAddress>10.55.2.0</startIpAddress>
        <endIpAddress>10.55.2.255</endIpAddress>
        <description>IP range A</description>
    </trustedIpRanges>
    <trustedIpRanges>
        <startIpAddress>10.55.12.0</startIpAddress>
        <endIpAddress>10.55.12.255</endIpAddress>
    </trustedIpRanges>
    <commaSeparatedOauthScopes>Basic, Web, RefreshToken</commaSeparatedOauthScopes>
    <oauthLink>00Bxx0000006JuB:888xx0000004CQ4</oauthLink>
</ExtlClntAppOauthSettings>
Find the OAuth Policy File
When the external client app OAuth settings and global OAuth settings file changes are deployed, the external client app generates an OAuth Policy file called [ECAPP_OAUTH_POLICY].ecaOauthPlcy-meta.xml in the oauthPolicies folder. The auto-generated file includes these values.
| Field | Description |
|---|---|
| label | This field is required. Type: String. Default value: SpecificLifetime. The name of the external client app OAuth policy. |
| refreshTokenPolicyType | This field is optional. Type: String. Values: Infinite, Zero, SpecificLifetime, SpecificInactivity |
| refreshTokenValidityPeriod | This field is optional. Type: Integer |
| refreshTokenValidityUnit | This field is optional. Type: String. Values: Days, Hours, Months |
| ipRelaxationPolicyType | This field is optional. Type: String. The policy that determines IP restrictions. Values: Enforce, Bypass, Bypass_2factor, Enforce_RelaxRefresh |
| permittedUsersPolicyType | This field is optional. Type: String. Values: AllSelfAuthorized, AdminApprovedPreAuthorized |
| commaSeparatedPermissionSet | This field is optional. Type: String. Comma-separated permission set IDs. |
| externalClientApplication | This field is required. Type: String. Name of the external client app. |
| sessionTimeoutInMinutes | This field is optional. Type: Integer. Length of time the external client app’s session lasts. |
| requiredSessionLevel | This field is optional. Type: Values: LOW, STANDARD, HIGH_ASSURANCE |
| policyAction | This field is optional. Type: String. Values: Block, RaiseSessionLevel |
| singleLogoutUrl | This field is optional. Type: String. URL where Salesforce sends a logout request when users log out of Salesforce. |
| startUrl | This field is optional. Type: String. If the app isn’t accessed from a mobile device, users are directed to this URL after they authenticate. |
The OAuth settings and policy details are similar to those for connected apps. This example shows an OAuth policies file.
<?xml version="1.0" encoding="UTF-8"?>
<ExtlClntAppOauthConfigurablePolicies xmlns="http://soap.sforce.com/2006/04/metadata">
    <externalClientApplication>myeca</externalClientApplication>
    <label>myecapolicy</label>
    <refreshTokenPolicyType>SpecificLifetime</refreshTokenPolicyType>
    <refreshTokenValidityPeriod>1</refreshTokenValidityPeriod>
    <refreshTokenValidityUnit>Days</refreshTokenValidityUnit>
    <ipRelaxationPolicyType>Enforce</ipRelaxationPolicyType>
    <permittedUsersPolicyType>AdminApprovedPreAuthorized</permittedUsersPolicyType>
    <commaSeparatedPermissionSet></commaSeparatedPermissionSet>
    <sessionTimeoutInMinutes>1</sessionTimeoutInMinutes>
    <requiredSessionLevel>HIGH_ASSURANCE</requiredSessionLevel>
    <policyAction>RaiseSessionLevel</policyAction>
    <singleLogoutUrl>https://www.example.com</singleLogoutUrl>
    <startUrl>https://www.example.com</startUrl>
</ExtlClntAppOauthConfigurablePolicies>
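The three checks on this page can be run as one script after a deployment. This is an added example, not Salesforce code: it verifies that consumerKey and consumerSecret are populated, that oauthLink is present, and that the policy file's values match the field table above. The function names are hypothetical, the sample files are constructed, and the oauthLink pattern (two 15- or 18-character IDs joined by a colon) is an assumption based on the sample value shown earlier.

```python
import re
import xml.etree.ElementTree as ET

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}
# Allowed values as listed in the field table on this page.
POLICY_ENUMS = {
    "refreshTokenPolicyType": {"Infinite", "Zero", "SpecificLifetime", "SpecificInactivity"},
    "refreshTokenValidityUnit": {"Days", "Hours", "Months"},
    "ipRelaxationPolicyType": {"Enforce", "Bypass", "Bypass_2factor", "Enforce_RelaxRefresh"},
    "permittedUsersPolicyType": {"AllSelfAuthorized", "AdminApprovedPreAuthorized"},
    "requiredSessionLevel": {"LOW", "STANDARD", "HIGH_ASSURANCE"},
    "policyAction": {"Block", "RaiseSessionLevel"},
}
# Assumed shape of oauthLink: two 15- or 18-character IDs joined by a colon.
OAUTH_LINK = re.compile(r"[A-Za-z0-9]{15,18}:[A-Za-z0-9]{15,18}")

def _text(root, tag):
    node = root.find(f"md:{tag}", NS)
    return (node.text or "").strip() if node is not None else ""

def verify_deployment(global_xml, settings_xml, policy_xml):
    """Return a list of problems found in the three generated files."""
    gset, sets, pol = (ET.fromstring(x) for x in (global_xml, settings_xml, policy_xml))
    problems = [f"{t} is empty" for t in ("consumerKey", "consumerSecret") if not _text(gset, t)]
    link = _text(sets, "oauthLink")
    if not OAUTH_LINK.fullmatch(link):
        problems.append(f"oauthLink missing or malformed: {link!r}")
    problems += [f"policy {t} is required" for t in ("label", "externalClientApplication")
                 if not _text(pol, t)]
    for tag, allowed in POLICY_ENUMS.items():
        value = _text(pol, tag)
        if value and value not in allowed:  # optional fields may be absent
            problems.append(f"policy {tag}={value!r} is not an allowed value")
    return problems

def _doc(root, body):  # builds a constructed sample file in the metadata namespace
    return f'<{root} xmlns="{NS["md"]}">{body}</{root}>'

# Constructed samples: a clean deployment and one with three defects.
GOOD = (
    _doc("ExtlClntAppGlobalOauthSettings", "<consumerKey>k</consumerKey><consumerSecret>s</consumerSecret>"),
    _doc("ExtlClntAppOauthSettings", "<oauthLink>00Bxx0000006JuB:888xx0000004CQ4</oauthLink>"),
    _doc("ExtlClntAppOauthConfigurablePolicies", "<label>myecapolicy</label>"
         "<externalClientApplication>myeca</externalClientApplication>"
         "<ipRelaxationPolicyType>Enforce</ipRelaxationPolicyType>"),
)
BAD = (GOOD[0].replace(">s<", "><"), GOOD[1].replace(":888xx0000004CQ4", ""),
       GOOD[2].replace(">Enforce<", ">Relaxed<"))
```

In practice, pass the contents of the files from extlClntAppGlobalOauthSets, the OAuth settings directory and oauthPolicies, and fail the pipeline step when the returned list is not empty.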
